Impact of Big Data, Cloud, Mobile and Regulatory Pressure on your IT Risk and Governance Model.
In the recent IBM CIO survey, and in the earlier released Reputational Risk and IT Study and Global IT Risk Study, topics such as Big Data, Cloud, Mobile and Regulatory pressure are top of mind for many CIOs.
How can we understand the impact of all this on the business processes that the
CIO must support these days? Why are so many organizations struggling with
implementing IT GRC programs?
Simply, the impact of all these topics is huge and cannot be handled in silos
any more. Not because of the high cost it will bring and not because you cannot
consolidate the risk impact over these silos. I have clients that spent over
140 hours per week on manual control testing in different systems. This can be
automated and reduced to nearly zero. Having it in one system will
give you a consolidated view on your IT risk landscape at any time.
Many organizations struggle to implement IT GRC programs because:
- there is no centralized repository to hold all the standards, policies and
regulations
- it is impossible to prioritize risks across the IT organization and to report
on it
- there are many redundant controls, and a complex risk and control infrastructure
- there is no relation / correlation between standards, policies, procedures,
laws and regulations
- there is a lot of manual data collection, and it is impossible to consolidate
- there is no mapping and no understanding of IT resources, threats &
vulnerabilities and incidents
To give you an idea of some of the benefits of breaking down these silos:
1. IBM decreased its own IT risk cycle by 30% by implementing an integrated IT
risk platform.

This 30% decrease was established by optimizing and
automating the risk process, end users are now able to complete the whole risk
cycle in one platform with risk identification, risk assessment, risk
management, risk reporting (real time!) and risk monitoring.

2. A customer decreased their manual IT control test
effort by 140 hours per week for Segregation of Duties and access
management alone. This was done by automating control tests.
The regulatory pressure (Cobit, ISO27k, ITIL) on information security forces
organizations to perform hundreds of IT controls in different IT systems. IBM
has developed a set of 100 controls in user management, access management,
segregation of duties and change management and has automated these controls,
which reduces the manual work to nearly zero and gives an instant overview of compliance
status and the issues that were found. The controls can reside in disparate
systems but are all reported back into one platform.
As you can see, there is a lot to gain if you take an integrated approach to IT
Governance, Risk and Compliance.

Why IBM?
IBM has always set the standard in IT Governance by supplying its customers with
solutions in (cyber)security, identity management, access management,
scalability, failover, disaster recovery, business continuity management, IT
process optimization, and IT Governance. All this is now being complemented
with IT Governance, Risk and Compliance documentation, monitoring and reporting
in Business Analytics (through IBM OpenPages). What can we bring to the table?
IBM can deliver one integrated platform for

With the increase of the Governance, Risk & Compliance maturity level at many of
my clients, I see that clients start to realize the benefits of integrating
GRC activities in their Performance Management cycle. Hence this follow-up
to my previous article on Risk Management and its convergence with
Performance Management.

Let me share some insights on Risk & Performance Management initiatives that keep
clients busy around Europe. The following 4 items came up in the last 3 months.

1. Cost control and process performance improvement give us the
opportunity to embed controls in our processes. Lessons learned from Six Sigma
and Lean can give us guidance here.

2. How do I manage organizational and regulatory change and monitor
the impact on business processes, policies and my risk and control framework?

3. A trending topic is emerging risks: am I able to identify risks that
are coming towards me over time?

Implementing and testing controls has become a huge cost for many organizations. That is why
some of my clients are now looking for a way to reduce cost by embedding
controls in their existing business processes. This goes hand in hand with the
global initiative on cost reduction. While optimizing or even redesigning core
business processes, internal controls are being embedded in the process. What I
see is that the organizations that involve process owners and process
contributors are most successful. This is an initiative that we have seen
before in Lean Six Sigma projects. The only way to optimize processes and to
reduce waste is to involve the process owners. Instead of increasing regulatory
pressure we should seek a solution in this area, in my opinion. Business cases
around this have proven to be very successful, and savings of up to millions of
Euros per year have been achieved.

Regulatory change

Regulatory
changes are a huge concern of many risk, compliance, legal and audit
professionals. How can we monitor these changes and how can we understand the
impact on our organization? Taking this together with the fact that policy
management is changing from a ‘must do’ once a year to a continuous process
tells us that an integrated approach to Governance, Risk & Compliance is
necessary to drive performance. I come across clients that have a monthly Performance
Report that shows how they derived business objectives from their policies and
how they are performing on a compliance level to these objectives. What risks
did they identify in this process and how will they respond to these risks?
Organizations realize that they need to understand the correlation between
processes, policies, regulations, business objectives, risks and controls and
how they might impact each other. An integrated GRC view is the only way to
face this challenge.

Emerging Risk Modelling

One of the trending topics among customers is Emerging Risks. Can we model risks
that we see coming and can we follow up on risks that are getting closer or
fading away? Analytical Risk modeling is an answer to this question. It also
lets you perform risk forecasting with different scenarios. An interesting question
is how the increase of a risk exposure in an operating entity will impact my
group level exposure. Risk Analytics, derived from the Performance Management
area, can help us answer these questions. A financial performance management
cycle contains the exact same characteristics.

Integrated Financial and
Risk performance reporting

Financial and Risk reporting are standard items in today's Annual Reports, Tax
statements, Management reports and Regulatory reports. The big question is how
do I keep all of this information organized in such a way that I understand the
source of the information, the transformation it has gone through, the owner of
the information and, most importantly, when information changes at the last moment,
that all information output contains the latest version? There is no bigger reputational
risk than sending out inconsistent information to stakeholders. Some
organizations saw their share price drop by 25% due to inconsistent external
reporting. One of my clients has implemented a solution that orchestrates all
of these information sources with workflow capabilities and even XBRL output.
From a risk perspective this is a great mitigation of your reputational risk
and an excellent example of 'Where Performance Management meets Risk Management'.

Les
opened with an energy level high as always! Mark gave a great insight in the
financial transformation IBM has gone through and the road ahead. Alison
delivered a key note where the whole room hung on her every word. Astonishing
how Alison can present and what an inspiring lady she is.

Michael
Zerbs has been appointed as the new leader to run the IBM Risk Analytics organization.
Michael was the President and COO of Algorithmics. He is a recognized expert in
risk management for market and credit risk, and has an in-depth understanding
of the key risk management challenges that the financial industry faces today.
He has authored several papers on pricing models and risk management and is a
co-author of Mark-to-Future: A Framework for Measuring Risk and Reward.

Market Analysts impressed
by IBM Risk Portfolio

Many
analysts could be found in Orlando.
It was mentioned that IBM has by far the best risk analytics portfolio in the
market.

Operational
risk is still strong as ever but Policy & Compliance management, IT Risk
& Governance and Audit capabilities have grown to such maturity level that
IBM is top in Risk Analytics.

Customers are expanding
on their GRC Environment

Clients
speaking at the 2 main event days were all expanding their platform to multi
discipline risk. Especially risk convergence, standardization, enterprise risk
management, IT Risk & Compliance and Fraud & Financial Crimes were
topics that came across many times.

IBM implemented OpenPages

IBM has implemented OpenPages itself, and demonstrated that on day 2. Deborah
Dunagan, IBM Transformation Executive, demonstrated how IBM reduced its risk
cycle times by 30% using IBM OpenPages!

With
all this excitement we are looking forward to another great year and client
success in Risk Analytics.

With the brand-new IBM Cognos Insight you can now connect to your IBM OpenPages environment from your desktop. You always have that moment when you need the information on a report, but just a bit different from what the standard report provides. The solution is here now, IBM Cognos Insight!

Insight is a powerful, intuitive desktop solution that can read many different data sources, from Excel to data warehouses. Even your real-time IBM OpenPages environment!

And it is not only reporting and dashboarding: it also lets you create what-if scenarios on the fly! What would my risk exposure be if in one risk category the loss impact increases by 15%? Two clicks and you know the answer! And then you can comment on your report, which gives your colleagues more information on the context the moment you share your workspace.

IBM Watson goes
to work in financial services as a risk expert. One of the largest Financial
Services institutes and IBM now partner to enhance and simplify the consumer
banking experience with faster, more accurate decisions, better risk
assessment, and more targeted customer offers.

IBM Watson is
transforming expectations for how technology can help individuals live and work
in better ways. Its ability to make sense of vast quantities of unstructured
information, communicate in natural human language, learn from experience, and
offer confidence weighted responses is already a game changer in healthcare. Focusing
these capabilities on financial services brings new possibilities for higher
service levels to an expanded set of users.

For those who do
not know IBM Watson, Watson is an artificial intelligence computer system
capable of answering questions posed in natural language, developed in IBM's
DeepQA project. As a test of its abilities, Watson competed on the quiz show
Jeopardy!, in the show's only human-versus-machine match-up to date. In a
two-game, combined-point match, broadcast in three Jeopardy! episodes February
14–16, Watson beat Brad Rutter, the biggest all-time money winner on Jeopardy!,
and Ken Jennings, the record holder for the longest championship streak (74
wins).

Now what will that bring to our Financial Services clients? Potentially an assistant to
client service professionals that helps deliver evidence-based recommendations
across multiple areas of the bank, including credit cards, private banking,
wealth management and call centers. Since IBM Watson can think faster than any
human being, it is able to make cross checks, prevent fraud, determine risk,
etc. It is able to analyze data such as client information, online news
reports, blogs, Twitter feeds, analyst reports, regulations, credit ratings,
and government securities filings, which can help to suggest options targeted to
a consumer's individual circumstances.

Solvency II and the need for Operational Risk

Since the European Council has postponed the deadline for Solvency II to January 2014, insurance companies have bought themselves more time to prepare for Solvency II. Most insurance companies are already working on the quantitative side of Solvency (Pillar I of the solvency model, capital requirements) but have not started on the qualitative part (Pillar II, Operational Risk). According to visionaries, the biggest risk for insurers is in Operational Risk!

Interestingly enough, these organizations do not know how to respond to Own Risk and Solvency Assessment (ORSA) requirements, and the local regulators are not providing much guidance on this. What I hear from my clients is that they are looking for guidance on how to implement Operational Risk for Solvency II. This is where IBM OpenPages can help you. We have done this for many clients already, even in joint effort with business partners in the risk consulting area.

In fact, Operational Risk is not rocket science. Let me guide you through the process that one of my clients has taken.

1. Risk Governance and Culture

This is a reflection of the policies in place to govern your risks, and of the risk culture in your organization. My client reviewed how risk awareness was embedded in the daily processes and which policies were in place to manage risks in the business.

2. Risk Identification and Prioritization

My client conducted workshops guided by a risk expert to identify risks in the current processes, aligned to the strategic business goals. Through the outcome of the risk assessments he was able to prioritize risks.

3. Risk response formulation and Control design

Now that we understand the impact (also called inherent risk exposure), we can start talking about how to create a risk response. Is a risk response needed, can we insure the risk, can we ignore / accept the risk, or should we come up with mitigating controls? And of course, since risks are not completely new, which controls do we already have in place? Compliance and Audit played an advising role in the formulation of the response and the (re)design of these controls.

4. Risk monitoring

With an understanding of our risk environment and the outcome of the risk exposure, we started developing risk monitoring through reporting, dashboarding and risk analysis. This answers the questions: where are we today and how did we get there? Subjects like risk appetite, risk tolerance and risk limits were formulated.

5. Issue and Action Management

The last step we took to close the loop was answering the question: what will we do about it? What actions will be taken, by whom and when? A centralized approach to action management was a great relief to our CRO. The main benefit was the ability to provide auditors and the board with an integrated view of all actions and their follow-up progress.

Best practice is to start with a single, simple risk and control framework. Do not try to automate everything in the first phase; keep it simple first and try to get the basic process of risk management running. Once this is done you can start automation in phase II. Only automate where you can benefit from it, where it will save you a significant amount of time.

Phase II is really about automating manual processes. By automation I mean workflow in risk and control assessment processes, and alerting & notification. For example, coming to a final judgment on risk impact and likelihood has been a manual process where only the final result was stored in the system. A next step to get a better qualified result can be the setup of automated questionnaires / a voting system, where first a decentralized vote is held and then a centralized final verdict is reached in a group workshop. A decentralized first round has proven to give a better and more effective (read: shorter) discussion and a better final judgment on the risk assessments. Another example of automation is the collection of losses. Until now they were kept in Excel sheets and uploaded into the system. Qualifying the category a loss belongs to and validating the loss can be a time-consuming process. Automating this process will help the person registering the loss to make a correct classification and will speed up the validation of the loss, including the assessment of the impact and the recovery.

Phase III is the step to the next maturity level. You now have an understanding of how risks and controls are related to each other, so you can put KRIs (Key Risk Indicators) in place. With these KRIs in place you will have an early warning system available that helps you respond in a timely manner. This will shorten the time to respond to failures and might even prevent a loss from happening. Non-financial risk dashboards and scenario analysis are also steps that fit in this next level of maturity. Scenarios can help you to better calculate your capital requirements. Through risk assessments you can get the business input on what losses are likely to happen in the near and longer term. The more sample data you put into your calculations, the better the outcome will be.

The last phase is about automating control testing. Here you start looking for control tests that can be done automatically. Especially control tests that are performed frequently and systematically are candidates for automation. Examples can be found in General Ledger systems, such as samples of invoices that can all be matched with PO numbers, or in IT tests (endpoint tests) such as: are all hard disks containing sensitive data encrypted, and do all systems have their passwords changed every month?

In the last 2 months three independent researchers have given their opinion on IBM’s approach to risk management. All 3 are very positive towards the areas of Innovation, Market Presence, Functionality and Enterprise GRC capabilities.

Forrester in the Forrester Wave EGRC 2011: "The OpenPages platform remains one of the most consistently strong enterprise GRC platforms on the market today. The company's vision is to enable senior management to make strategic risk and reward decisions to improve business performance and reduce exposure to risks and loss on investments. The OpenPages platform's GRC management and analytics features are just one example of where this mission will play out."

Gartner in its September update: "The OpenPages platform has solid capabilities in all the core functions, has above-average support for ERM and ORM, and is rated very high on financial reporting integrity compliance. It continues to execute consistently on a well-planned road map."

Chartis published its RiskTech 100 last November with IBM ranked the No. 1 vendor in the area of Risk Management, with special rewards for Functionality, Market Presence, Innovation, Fund & Asset Management, Market Risk, Operational Risk and Enterprise GRC.

In the Chartis RiskTech 100 IBM was measured for the first time along the qualitative and quantitative risk capabilities (read the acquisitions of OpenPages and Algorithmics). In the Gartner and Forrester publications the latest Algorithmics acquisition was not taken into account.

Interestingly enough, researchers praise IBM for immediately adding value to its acquisitions. One year ago IBM was ranked number 7 in the RiskTech 100 and now IBM is on top of the list. Not because the individual products are that good, but because the minimal overlap and immediate integrations create added value for customers.

Adding Risk to the area of Business Analytics (Business Analytics is one of the 4 key initiatives of IBM towards 2015, driven by our new CEO Ginni Rometty) is a great step into Smarter Risk. Capabilities like predictive intelligence, driver-based planning, regulatory reporting, scenario testing, forecasting, dashboarding, scorecarding, reporting and analysis will give a great boost if you apply them to risk. This is where the convergence of performance management and risk management creates great value for our customers.

Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The latest announcement to acquire Algorithmics (quantitative risk management) shows the continuous commitment of IBM to the GRC market. GRC software will integrate into the Business Analytics Software group, the area where the former acquisitions like Cognos, SPSS and Clarity Systems already reside.

Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.

In past Risk Management implementations I have seen that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self-service reporting, where users can create their own risk reports ad hoc, is growing. We do not want to wait in the queue for our report to be created: 2 days later you have missed the opportunity to respond, and the loss is there.

With this self-service capability the question automatically pops up: 'can I trust my data?'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.

Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?

Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks from happening?' or 'What is the correlation between the risks that have materialized?'.

And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Let's call it Business Analytics.